Get Started with Storage Security Rules

In typical apps, developers must build and maintain many servers that perform
authentication, authorization, and data validation, as well as the developer's
business logic. Apps using Cloud Storage for Firebase make use of
Firebase Authentication and Firebase Security Rules for Cloud Storage to handle serverless
authentication, authorization, and data validation.

Using Cloud Storage and Storage Security Rules means that you can focus on
building a great user experience, without having to manage infrastructure or
write complex server-side authentication and authorization code!

Overview

Storage Security Rules determine who has read and write access to
files stored in Cloud Storage, as well as how files are structured and
what metadata they contain. The basic type of rule is the allow rule, which
permits read and write operations if an optionally specified condition is
met. Some examples of rules are:

The context of the rule evaluation is also exposed through the request and
resource objects, which provide information such as the auth context
(request.auth) and the existing object's size (resource.size).

Sample Rules

Note: Before launch, make sure that you evaluate your rules to ensure they
provide the maximum level of security your application needs. Launching your app
with default or public rules may allow unintended or unauthorized access to
your stored data.

Storage Security Rules must first specify the service (in our case
firebase.storage) and the Cloud Storage bucket
(via match /b/{bucket}/o) against which the rules are
evaluated. The default rules require Firebase Authentication, but here are
some examples of other common rules with different access control.

During development, you can use the public rules in place of the default
rules to make your files publicly readable and writable. This is very useful for
prototyping, as you can get started without setting up Firebase Authentication.
However, because Cloud Storage shares a bucket with your default
Google App Engine app, this rule also makes any data used by that app
public.

User rules allow you to give each of your authenticated users their own personal
file storage. You can also lock down your files entirely by using the private
rules, but be aware that your users won't be able to read or write anything
through Cloud Storage with these rules. Users accessing files from
your Google App Engine app or the GCS APIs may still have access.
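The following rule set is an added example for this page (it is not one of the Firebase sample rule sets) that puts the pieces described above together: the service and bucket match, the public and default rules as commented-out alternatives, a user rule that gives each signed-in user a folder of their own, and a private rule. The /users and /admin path prefixes, the 5 MB size limit and the image-only content type are assumptions chosen for the example; the request and resource objects, rules_version, and the granular create/update/delete operations are part of the Storage rules language.

```rules
rules_version = '2';

// Every Storage rule set names the service and the bucket(s) it covers.
service firebase.storage {
  // {bucket} is a wildcard, so these rules apply to every bucket in the project.
  match /b/{bucket}/o {

    // Public rules (prototyping only): anyone can read and write any object.
    // The default bucket is shared with the App Engine app, so its data
    // becomes public too.
    // match /{allPaths=**} {
    //   allow read, write;
    // }

    // Default rules: any signed-in Firebase user can read and write.
    // match /{allPaths=**} {
    //   allow read, write: if request.auth != null;
    // }

    // User rules: each authenticated user may only touch objects under
    // /users/<their uid>/ ("/users" is an assumed prefix for this example).
    match /users/{userId}/{allPaths=**} {
      // resource is the object already stored (null if it does not exist);
      // request.resource is the object being uploaded.
      allow read: if request.auth != null && request.auth.uid == userId;

      // Uploads must also pass data validation (assumed limits: 5 MB, images only).
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.size < 5 * 1024 * 1024
                            && request.resource.contentType.matches('image/.*');

      // On delete there is no request.resource, so only check ownership here.
      allow delete: if request.auth != null && request.auth.uid == userId;
    }

    // Private rules: nothing under /admin is reachable through Cloud Storage
    // clients. Access via App Engine or the GCS APIs is unaffected.
    match /admin/{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

Splitting write into create/update and delete matters because request.resource is null on a delete; a single write rule that reads request.resource.size would fail to evaluate and deny every delete, which is a common source of "permission denied" reports during development.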

Edit Rules

Cloud Storage provides an easy way to edit your Storage Security Rules
via the Rules tab in the Firebase console Storage section.
In the Rules tab, you can quickly and easily view and edit your current
rules. These rules are deployed by clicking Publish, or by saving the file
(ctrl/cmd + s). Rules are immediately uploaded to Cloud Storage
servers, but may take up to five minutes to become live.

The Firebase CLI can be used to deploy rules as well. If you select Storage
when running firebase init, a storage.rules file with a copy of the
default rules will be created in
your project directory. You can deploy these rules using the
firebase deploy command. If you have multiple buckets in your project, you
can use deploy targets to deploy rules to all of your
buckets at once from the same project folder.

Note: When you deploy security rules using the Firebase CLI,
the rules defined in your project directory overwrite any existing rules in the
Firebase console. So, if you choose to define or edit your security rules
using the Firebase console, make sure that you also update the rules defined
in your project directory.

Learn more about how file-based security works in the
Secure Files section, or understand user-based
security in the User Security section.